Wipfli logo
Insights - Articles, Blogs and on-demand webcasts

Articles & E-Books


The Path to HITRUST Certification: Five Reasons to Start Now

Apr 30, 2019

The HITRUST CSF® Assurance Program has become the standard for streamlining the third-party assurance process. This stems from HITRUST’s mission to address inefficiencies and inconsistencies in third-party assurance, an objective and journey that first began in 2007. Now, across the country, organizations rely on the HITRUST CSF Assurance Program to help with third-party risk management.

HITRUST® certification attempts to remedy the challenges organizations face in monitoring and assuring security requirements. The goal in introducing a standardized compliance process that’s confirmed by a qualified HITRUST Authorized External  Assessor is to unify and simplify the assurances both sides need and can support. 

Here are five big reasons now is the best time to start moving toward the new CSF program.

1. This Is Going to Take a While

HITRUST CSF certification generally takes 9-12 months to achieve from the initial gap assessment until the submission of the validated assessment for certification. This can vary between organizations depending on the initial state of their security program (i.e., how many gaps are identified in the gap assessment) and resources available to prepare for certification.

2. The Framework Has Already Been Provided

You’ll be reassured to know that a comprehensive framework for your journey has been developed. The HITRUST CSF is a framework that was prudently developed in collaboration with information security professionals. Because the steps have been rigorously outlined, you won’t have to guess your way through it or defer action because of uncertainty.

3. You Decide How Deep and Wide to Go

Yes, the HITRUST CSF is comprehensive, but it’s also flexible. It provides options for third-party assurance and the types of reporting, and it lets you weigh the overall scope. Making those right decisions, however, requires attentiveness and time for careful consideration.

4. You Don’t Have to Go It Alone

Choosing a HITRUST Authorized External Assessor at the outset is a valuable way to help your organization identify the proper scope and address gaps. The right External Assessor can help you determine the best path for meeting your client relationship needs while fitting your circumstances in the most cost-effective way possible.

5. For Maximum Leverage

Becoming certified is an industry differentiator and can be a point of entry to new customers. It demonstrates your commitment to security and reduces the time and volume of customer security questionnaire requests you receive. The sooner you’re committed to the process, the greater the opportunities for continued success.

Getting Started

As an Authorized External Assessor, Wipfli is uniquely qualified to help align and assess your compliance with all the different regulations your organization must meet. We apply the most current, widely recognized and industry-adopted standards to your security framework. Whether or not your organization actually adopts CSF, you can be confident you’re getting an assessment based on one of the industry’s most widely accepted approaches to regulatory compliance and risk management. The result is a focused engagement with relevant documentation that appropriately fits your organization.

To learn more or get started, contact us.


Paul J. Johnson, CPA
View Profile